<!DOCTYPE html>
<html>
<head>
<title>Embedded Enforcement: Allow-CSP-From header.</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/testharness-helper.sub.js"></script>
</head>
<body>
  <script>
    var tests = [
      { "name": "Same origin iframes are always allowed.", 
        "origin": Host.SAME_ORIGIN,
        "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", 
        "allow_csp_from": "¢¥§",
        "expected": IframeLoad.EXPECT_LOAD,
        "blockedURI": null},
      { "name": "Same origin iframes are allowed even if the Allow-CSP-From is empty.", 
        "origin": Host.SAME_ORIGIN,
        "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", 
        "allow_csp_from": "",
        "expected": IframeLoad.EXPECT_LOAD,
        "blockedURI": null},
      { "name": "Same origin iframes are allowed even if the Allow-CSP-From is not present.", 
        "origin": Host.SAME_ORIGIN,
        "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", 
        "allow_csp_from": null,
        "expected": IframeLoad.EXPECT_LOAD,
        "blockedURI": null},
      { "name": "Same origin iframes are allowed even if Allow-CSP-From does not match origin.", 
        "origin": Host.SAME_ORIGIN,
        "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", 
        "allow_csp_from": "http://example.com:888",
        "expected": IframeLoad.EXPECT_LOAD,
        "blockedURI": null},
      { "name": "Cross origin iframe with an empty Allow-CSP-From header gets blocked.", 
        "origin": Host.CROSS_ORIGIN,
        "csp": "script-src 'unsafe-inline'", 
        "allow_csp_from": "",
        "expected": IframeLoad.EXPECT_BLOCK,
        "blockedURI": null},
      { "name": "Cross origin iframe without Allow-CSP-From header gets blocked.", 
        "origin": Host.CROSS_ORIGIN,
        "csp": "script-src 'unsafe-inline'", 
        "allow_csp_from": null,
        "expected": IframeLoad.EXPECT_BLOCK,
        "blockedURI": null},
      { "name": "Cross origin iframe with correct Allow-CSP-From header is allowed.",
        "origin": Host.CROSS_ORIGIN,
        "csp": "style-src 'unsafe-inline'; script-src 'unsafe-inline'", 
        "allow_csp_from": getOrigin(),
        "expected": IframeLoad.EXPECT_LOAD,
        "blockedURI": null},
      { "name": "Iframe with improper Allow-CSP-From header gets blocked.", 
        "origin": Host.CROSS_ORIGIN,
        "csp": "script-src 'unsafe-inline'", 
        "allow_csp_from": "* ¢¥§",
        "expected": IframeLoad.EXPECT_BLOCK,
        "blockedURI": null},
      { "name": "Allow-CSP-From header with a star value allows cross origin frame.",
        "origin": Host.CROSS_ORIGIN,
        "csp": "script-src 'unsafe-inline'", 
        "allow_csp_from": "*",
        "expected": IframeLoad.EXPECT_LOAD,
        "blockedURI": null},
      { "name": "Star Allow-CSP-From header enforces EmbeddingCSP.", 
        "origin": Host.CROSS_ORIGIN,
        "csp": "script-src 'nonce-123'", 
        "allow_csp_from": "*",
        "expected": IframeLoad.EXPECT_LOAD,
        "blockedURI": "inline"},
      { "name": "Allow-CSP-From header enforces EmbeddingCSP.", 
        "origin": Host.CROSS_ORIGIN,
        "csp": "style-src 'none'; script-src 'nonce-123'", 
        "allow_csp_from": getOrigin(),
        "expected": IframeLoad.EXPECT_LOAD,
        "blockedURI": "inline"},
    ];

    tests.forEach(test => {
      async_test(t =>  {
        var url = generateUrlWithAllowCSPFrom(test.origin, test.allow_csp_from);
        assert_iframe_with_csp(t, url, test.csp, test.expected, test.name, test.blockedURI);
      }, test.name);
    });
  </script>
</body>
</html>
